Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling
 
PerlMonks  

Re: Re: Re: Using MD5 and the theory behind it

by rpc (Monk)
on Jan 11, 2001 at 04:11 UTC ( #51027=note: print w/replies, xml ) Need Help??


in reply to Re: Re: Using MD5 and the theory behind it
in thread Using MD5 and the theory behind it

Your method is not 'totally secure' because you have to store the nonce in a database. If you generate a SID from an MD5 digest based on user authentication information, this hash does not have to be stored. It can be generated when the cookie is inspected.

Also if you run a large site with millions of users, your source of entropy can be depleated quickly, negating any security you would have gained.

  • Comment on Re: Re: Re: Using MD5 and the theory behind it

Replies are listed 'Best First'.
Re: Re: Re: Re: Using MD5 and the theory behind it
by gildir (Pilgrim) on Jan 11, 2001 at 14:02 UTC
    That's really an academic debate. I should argue that your scheme depends on security of MD5 algorithm and therefore cannot be more secure than MD5. History shows that even cryptographic hashes has some problems, and if I recall correctly, some of the MD-series hashes did have problems.

    OTOH, my scheme depends only on security of server, and if attacker can read data from server's database, it will not look at nonce, but directly at the target data stored here. Authentication is here not only for authentication itself, but for data protection, and there is no point making authentication stronger than protection of data itself.

    And if I have large site, my entropy pool gets exhausted by SSL subsystem in the firts place, so I will need HW crypto-card (RND-generator) anyway.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://51027]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2023-01-30 11:01 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?